Hello,
We have a few servers running WHM/cPanel 11.38.2 on CentOS 5.10.
Here's the TL;DR:
I have a .htaccess file with rewrite rules in a certain directory. Ideally I want to ignore all .htaccess files in sub-directories under that one, or alternatively add a rule to always use those rewrite rules and ignore rewrite rules in .htaccess files inside sub-directories.
Here are the specifics:
Our PHP application allows admin users to upload content which can contain any arbitrary files (including other PHP scripts or .htaccess files). If a zip file is uploaded as a piece of content, it is simply extracted into the directory for that content, so the zip file could have any number of directories and files inside it. We have some application options that admins can use to restrict access to all content directories to only logged-in users, and also to restrict uploaded PHP code from running. In order to accomplish that, we have a .htaccess file inside the root content directory (called resources) which redirects all requests to a PHP script outside of that directory:
So that file goes into the resources directory, and whenever someone uploads a new piece of content then it will create a sub-directory inside resources and put the content files there. However, I just discovered that if the content contains a .htaccess file with rewrite rules, then our protection scheme gets completely bypassed, it no longer redirects requests to our authentication/authorization script so the protections offered by that auth_resource.php file no longer come into play.
Ideally, I would like to be able to add additional rules to the .htaccess file inside the resources directory to simply tell Apache to ignore all .htaccess files inside any sub-directory, I don't want user-uploaded files to change Apache directives at all. If that isn't possible, then it would at least be better to have a directive that tells Apache to always use the rewrite rules inside the resources .htaccess file and ignore any other rules, so that at least we can make sure that our authorization script is never going to be bypassed when that feature in the application is enabled.
Do I have any solution for this other than scanning all content directories to delete uploaded .htaccess files?
Thanks
We have a few servers running WHM/cPanel 11.38.2 on CentOS 5.10.
Here's the TL;DR:
I have a .htaccess file with rewrite rules in a certain directory. Ideally I want to ignore all .htaccess files in sub-directories under that one, or alternatively add a rule to always use those rewrite rules and ignore rewrite rules in .htaccess files inside sub-directories.
Here are the specifics:
Our PHP application allows admin users to upload content which can contain any arbitrary files (including other PHP scripts or .htaccess files). If a zip file is uploaded as a piece of content, it is simply extracted into the directory for that content, so the zip file could have any number of directories and files inside it. We have some application options that admins can use to restrict access to all content directories to only logged-in users, and also to restrict uploaded PHP code from running. In order to accomplish that, we have a .htaccess file inside the root content directory (called resources) which redirects all requests to a PHP script outside of that directory:
Code:
Options FollowSymLinks
RewriteEngine On
RewriteRule .* ../auth_resource.php?__f=$0 [L,QSA]
Ideally, I would like to be able to add additional rules to the .htaccess file inside the resources directory to simply tell Apache to ignore all .htaccess files inside any sub-directory, I don't want user-uploaded files to change Apache directives at all. If that isn't possible, then it would at least be better to have a directive that tells Apache to always use the rewrite rules inside the resources .htaccess file and ignore any other rules, so that at least we can make sure that our authorization script is never going to be bypassed when that feature in the application is enabled.
Do I have any solution for this other than scanning all content directories to delete uploaded .htaccess files?
Thanks